Been there -- I don't know about availability, but this is what we have to
do for people working at home through their ISP.  I'm assuming NAT
produces similar problems.  You can use CMAN for firewall tunnelling with
or without MTS, don't know about connection concentration, though, as we
don't need it yet.

Background: on NT and some other OS's, Oracle listeners use a different
port for reply (like FTP does), so the NAT server doesn't equate the
incoming reply packets with the outgoing connection.  Most NAT servers
recognize and compensate for FTP connections, but not for Oracle.  CMAN
will not redirect its clients to another port, so the server-side redirect
is hidden and the client remains connected.

Fix: On the server subnet, establish a CMAN server with a fixed address
and (if necessary) make the firewall server route all incoming connections
to 1620 (or whatever port you're using) to it.  You'll need to use a
different port than the Oracle listener if you're running CMAN on the
Oracle server.  See the docs to configure CMAN appropriately for your
network security needs. By default it's fairly promiscuous so you'll
probably want to make sure it only connects to Oracle servers inside your
subnets, and you may want to restrict the outside addresses it will
serve.  Once I copied the sample config files into the ADMIN directory I
was able to get it running with no complications, but I did revisit the
routing issue for our site.

In the TNSNAMES file of the client (or in the naming service, whatever
you're using) add (SOURCE_ROUTE=ON) and add an address line for each CMAN
server needed to reach the Oracle server (if, for instance, you have
multiple DMZ layers you may need multiple CMAN servers to make connections
visible).  The CMAN servers will be sent the description information and
will establish the connection to the next leg of the route (another CMAN
server or the data server).  Naturally, each CMAN server needs to be able
to resolve the address of the server that comes after it in the route.

Since you didn't list the errors, I assume this will work.  It's possible
the client needs a CMAN server on the back side of their NAT server, too,
but probably not, unless you're doing server-to-server connections.  If
they do, just add it to the address list in the appropriate order.

Here's a sample TNSNAMES entry (this is what gave me the most trouble):
MYSERVER.MY.ORG =
  (DESCRIPTION =
    (SOURCE_ROUTE = ON)
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = FIREWALL.MY.ORG)(PORT = 1620))
      (ADDRESS = (PROTOCOL = TCP)(HOST = MYSERVER.MY.ORG)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = MY_SERVICE.MY.ORG)
    )
  )

Hope that helps!


[EMAIL PROTECTED] wrote:

> Looking for some help with Connection Manager.
> Suddenly got hit with a NAT issue from a customer site.
>
> Any suggestions on the use of Connection manager to alleviate this
> situation would be appreciated.
>
> Also:
>
> a)   Does Connection manager require the use of MTS?
>
> b)   Is Connection manager available with both Standard edition and
> Enterprise edition?
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com

--
Don Jerman
Database Administrator
Database Management Service, Information Technology, Division of Highways
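
Added example, not part of the original message: a Python check that parses a TNSNAMES entry like the one in the reply, lists the SOURCE_ROUTE hops in connection order, and flags an address list that has several addresses but no SOURCE_ROUTE. The function names and the accepted ON/YES/TRUE spellings are assumptions of this example; the sample entry is reproduced from the message.

```python
import re

# Sample input: the entry from the message above, embedded so this runs offline.
SAMPLE = """MYSERVER.MY.ORG =
  (DESCRIPTION =
    (SOURCE_ROUTE = ON)
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = FIREWALL.MY.ORG)(PORT = 1620))
      (ADDRESS = (PROTOCOL = TCP)(HOST = MYSERVER.MY.ORG)(PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = MY_SERVICE.MY.ORG)))"""

def parse_entry(text):
    """Return (alias, (KEY, value)); value is a string or a list of (KEY, value) pairs."""
    alias, body = text.split("=", 1)
    # Padding lets truncated input fail the checks below instead of raising IndexError.
    tokens, pos = re.findall(r"[()=]|[^()=\s]+", body) + [""] * 3, 0
    def node():
        nonlocal pos
        if tokens[pos] != "(" or tokens[pos + 2] != "=":
            raise ValueError(f"expected '(KEY =' at token {pos}")
        key, pos = tokens[pos + 1].upper(), pos + 3
        if tokens[pos] == "(":          # nested parameters
            value = []
            while tokens[pos] == "(":
                value.append(node())
        else:                           # plain value
            value, pos = tokens[pos], pos + 1
        if tokens[pos] != ")":
            raise ValueError(f"expected ')' at token {pos}")
        pos += 1
        return key, value
    return alias.strip(), node()

def find_all(value, key):
    """Yield every value stored under key, in file order, at any depth."""
    if isinstance(value, list):
        for k, v in value:
            if k == key:
                yield v
            yield from find_all(v, key)

def route_hops(text):
    """Return (alias, [(host, port), ...] in connection order, list of problems)."""
    alias, (_, desc) = parse_entry(text)
    hops = [(dict(a)["HOST"], int(dict(a)["PORT"])) for a in find_all(desc, "ADDRESS")]
    # Assumption: ON, YES and TRUE all switch source routing on.
    routed = any(str(v).upper() in ("ON", "YES", "TRUE") for v in find_all(desc, "SOURCE_ROUTE"))
    ok = routed or len(hops) < 2
    return alias, hops, [] if ok else ["multiple ADDRESS lines without SOURCE_ROUTE: alternatives, not hops"]
```

Running `route_hops` over each entry in a client's TNSNAMES file shows which connections pass through the CMAN host and in what order.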